Tuesday, June 30, 2009

Last week we reported that a Fake Microsoft Critical Update was one of the top sources of active computer exploitation being delivered in the emails we were watching in the UAB Spam Data Mine. That campaign took the weekend off and emerged Monday morning with a new feature that we shared with you yesterday. The same campaign has mutated yet again, but now is pretending to be a conspiracy email about Michael Jackson!

The new campaign uses email like this one:

which redirects visitors to more than 40 different websites which all look like this:

The list of websites we've seen so far in our spam include all of these:

Analysis of the malware, performed by UAB malware analyst Brian Tanner, a Computer Forensics student, reveals that just visiting the website is enough to infect your computer, especially if the visitor doesn't have the current version of Adobe Acrobat Reader.

Older versions of Adobe Acrobat have a vulnerability that allows JavaScript to run when a PDF file is viewed. Visitors to the Michael Jackson X-Files website are asked to download and run a program called:

x-file-MJacksonsKiller.exe

But even if the visitor is wise enough not to open the file, a secret IFRAME embedded on the site will cause an infected PDF file to be downloaded and opened in a background window. If the Adobe Reader is an old version, the JavaScript in the PDF will cause the .exe file to download and execute anyway.

VirusTotal reveals that only 10 of 41 anti-virus products currently detect this malware. Here's a VirusTotal Report.

Monday, June 29, 2009

We blogged last week about the Fake Microsoft Update which was actually an attempt to infect visitors with ZBot in order to steal their banking passwords.

We continue to see more of this spam, but now there is also a "drive-by infection" component to the spam. That means that just visiting the website may be enough to infect you. The preferred drive-by method is an IFRAME injection which tries to open your Adobe Reader to use an infected PDF to infect you in a background window. To be successfully exploited via the drive-by, an older version of Adobe Reader would need to be present on the visitor's computer.
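The hidden-IFRAME drive-by described above is something a defender can hunt for in saved page source. The following is an added example, not code from the original post or from UAB; SAMPLE_PAGE and the bad.example / static.example hostnames are constructed.

```python
"""Audit saved HTML for hidden or PDF/EXE-loading frames, the drive-by pattern
described above. Added example, not code from the original post; SAMPLE_PAGE
and the *.example hostnames are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

SUSPICIOUS_EXT = (".pdf", ".exe", ".scr")   # file types a frame has no business loading silently

def _is_tiny(value):
    """True for width/height attributes of 0 or 1 pixel ('0', '1', '0px', ...)."""
    digits = "".join(ch for ch in (value or "") if ch.isdigit())
    return digits != "" and int(digits) <= 1

class FrameAuditor(HTMLParser):
    """Collects one finding per iframe/frame/embed/object that is hidden or
    points at a suspicious file type."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "frame", "embed", "object"):
            return
        a = {name.lower(): (value or "") for name, value in attrs}
        src = a.get("src") or a.get("data") or ""
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        if _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
            reasons.append("zero-size")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("css-hidden")
        if "left:-" in style or "top:-" in style:
            reasons.append("off-screen")
        path = urlsplit(src).path.lower()
        if path.endswith(SUSPICIOUS_EXT):
            reasons.append("suspicious-src:" + path.rsplit(".", 1)[-1])
        if reasons:
            self.findings.append({"tag": tag, "src": src, "reasons": reasons})

def audit_html(html):
    """Return the list of findings for one HTML document."""
    auditor = FrameAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample: one legitimate player frame and three drive-by style frames.
SAMPLE_PAGE = """<html><body>
<p>Download <a href="x-file-MJacksonsKiller.exe">the video</a></p>
<iframe src="http://static.example/embed/player.html" width="640" height="480"></iframe>
<iframe src="http://bad.example/r/load.pdf" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://bad.example/r/in.cgi?3" style="display: none"></iframe>
<iframe src="http://bad.example/r/x.html" style="position:absolute; left:-5000px; top:-5000px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_PAGE):
        print(f["tag"], f["src"], ", ".join(f["reasons"]))
```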

Second Update - we mentioned the Spam Crisis in China also last week, and would like to continue to urge Chinese officials to mount an appropriate response - especially for networks hosting many spam domains, and for Registrars who are registering many spam domains.

The top registrar for Chinese spam domains is currently "Ename.cn" which uses the Chinese name: 易名中国

In our spam for June 28th, we saw 195 unique domain names advertised in spam which were registered at eName.cn.

This campaign is especially significant in that it ties to the dominant password stealing malware on the planet today, called "Zbot", which is short for the "Zeus Botnet". In this particular set of malware, the stolen login credentials are sent to the Ukrainian IP address 91.206.201.6, using the domain name "labormi.com".

This malware is especially interesting because it is clearly associated with a set of phishing sites which have been the most heavily spammed phishing campaign for a long time. Currently there is an active Bank of America phishing campaign and an active JP Morgan Chase phishing campaign using the same domain names as the Microsoft Critical Update malware distribution campaign:

Detecting ZBot Activity on your Network

One of the primary indicators of ZBot activity may be a computer which is fetching a ".bin" file from a remote computer. Zeus nodes do "context specific" keylogging. They are configured by updating a ".bin" file, which, after being decoded by the bot, will reveal a particular list of websites for which this node is supposed to steal passwords. In most cases, these are financial institutions' websites. In addition to stealing passwords, injection of additional "personal information" questions is possible.

If you have nodes on your network downloading ".bin" files, it would be a good idea to do a Google search using that domain name to see if you can find evidence that this is a Zeus node or Zbot node. For example, after being infected with the fake Microsoft Update malware above, our computers make a connection to "labormi.com" and fetch a file "lbr.bin". If we search Google for "labormi.com" and "zeus" we would quickly be able to see that this is a known Zeus controller, and we would know that the computer fetching this file is infected with a ZBot.
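Added example, not code from the original post: the ".bin fetch" indicator above applied to web-proxy logs. The log lines are constructed in Squid's native access.log layout; labormi.com and djellow.com are the controllers named on this page, and KNOWN_ZEUS_CONTROLLERS stands in for a real blocklist.

```python
"""Flag internal hosts that download ".bin" files from web servers, the ZBot
configuration-fetch indicator described above. Added example; the log lines
are constructed (Squid native access.log layout), not from the original post."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines:
# timestamp elapsed client action/status bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1246300000.123    512 10.0.0.15 TCP_MISS/200 2311 GET http://labormi.com/lbr.bin - DIRECT/91.206.201.6 application/octet-stream
1246300001.456     20 10.0.0.15 TCP_MISS/200 9812 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1246300002.789    301 10.0.0.22 TCP_MISS/200 4410 GET http://djellow.com/cfg.bin?x=1 - DIRECT/91.206.201.6 application/octet-stream
1246300003.111     15 10.0.0.31 TCP_HIT/200 7000 GET http://updates.example.net/firmware.BIN - NONE/- application/octet-stream
1246300004.222     11 10.0.0.15 TCP_MISS/404 300 GET http://labormi.com/lbr.bin - DIRECT/91.206.201.6 text/html
"""

# Controllers named in the post; a defender's own known-bad list goes here.
KNOWN_ZEUS_CONTROLLERS = {"labormi.com", "djellow.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>\S+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<peer>\S+)\s+(?P<mime>\S+)\s*$"
)

def parse_line(line):
    """One access.log line -> dict of fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_bin_fetch(rec):
    """True when the request path ends in .bin (case-insensitive, query string
    ignored) and the server actually delivered it (2xx)."""
    path = urlsplit(rec["url"]).path
    return path.lower().endswith(".bin") and rec["status"].startswith("2")

def find_bin_fetches(log_text):
    """Return {client_ip: [(domain, url, severity), ...]} for .bin downloads.
    severity is 'known-controller' when the domain is on the known-bad list,
    otherwise 'review' (look the domain up, as the post recommends)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or not is_bin_fetch(rec):
            continue
        host = urlsplit(rec["url"]).hostname or ""
        severity = "known-controller" if host in KNOWN_ZEUS_CONTROLLERS else "review"
        hits[rec["client"]].append((host, rec["url"], severity))
    return dict(hits)

if __name__ == "__main__":
    for client, fetches in sorted(find_bin_fetches(SAMPLE_LOG).items()):
        for host, url, severity in fetches:
            print(f"{client:12} {severity:16} {url}")
```

The firmware.BIN line shows the indicator's weakness: a legitimate update lands in the "review" bucket, so the domain lookup the post describes is still the deciding step.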

Other malware in the mail

There were several other malware-laden email messages we received today, just look at this inbox!!!

These messages looked like this . . .

"Unluckily we can't bring your parcel that was sent . . . "

Even more unluckily if you install the invoice they ask you to click on from:

http://ribboninn.com/ djellow.exe

Another email, pretending to be a fake "greeding card" (yeah, fooled me!) also linked to a "djellow" executable:

using the website http://76380.webhosting29.1blu.de/

Why would the malware be named "djellow.exe"? Because it also is a ZBot installer. And where is its Zeus controller? Why, on the website "djellow.com" of course!

But here is the best part . . .

The IP address for djellow.com? 91.206.201.6 ! The same as the Zeus controller for the fake Microsoft update!

We also received a ZBot claiming to be a "Statement Request".

this one asks us to "look at the statement on your account. The statement was issued today upon request, and your data has been successfully altered."

Of course the link to http://artemaliciacapoeira.be (slash) rep_7330.exe is yet another ZBot install!

Our last ZBot of the day came in looking like this:

and came from the site:

http://javiercubel.com (slash) video.exe

File size: 82432 bytes
MD5: 4456e181232270adf022f682e8595ef3

This one turns out to be a slightly older ZBot. VirusTotal reports it's detected by more than half of the 41 anti-virus products they test.

Monday, June 22, 2009

Last week we were talking about how Twitter users are encouraged to blindly click on "shortened URLs" which could actually lead to anything under the sun. We were discussing Twitter users and the Iran DDOS at the time, but other security researchers were looking at other Twitter issues, including Dancho Danchev who was discussing Ukrainian Scareware links.

We decided to follow up on one of these malware links to see if it would be an example of Chinese domain names being used by Ukrainians and Russians. (In Saturday's blog article, Spam Crisis in China, we suggested that it's actually Eastern Europeans who are abusing the cheap domain names in China.)

On the dozens of weblinks posted pretending to be Jennifer Anniston, or Paris Hilton, or Jennifer Love Hewitt on Twitter, LinkedIn, and ScribD, the links all pointed to the same place -- showmealltube.com on the path /paqi-video/7.html

The Danger of Tiny Twitter URLs

After the first several hours of the campaign, the URLs switched to being "shortened URLs" like:

"bit.ly/aSDhl" or something like that - you've seen them. When you only have 140 characters, using a shortened URL makes sense. The problem is that you just really don't know where those links are going - and because of that SEARCHING on Twitter is a security nightmare. As an example, searching on "Transformers 2" tonight, the first link took me to a site telling me how I could get rich on the Internet.

The top link there is trying to drive traffic to her Work at Home scammer site by tagging the current top search terms on Twitter. So whether you search for "Iran" or "IranElection" or "Jon & Kate" or "AT&T" or "Transformers 2", you're going to hit her site.

The second site, which takes you to "http://bit.ly/pmU8P", is also a scam. How do you know where the "bit.ly" site is going to take you? You really don't, you just trust on blind faith and click. In this case it takes you to a site called "Free-Gay-Mature-Movie-Clips". Trust me, you don't want a thumbnail of that!

So, typical Twitter advice is "only click on links from people you follow" but with some recent news of Twitter account takeovers, is that safe?

If you wonder about a Tiny URL of any sort, this article from the JoshMeister, Joshua Long, explains how to "preview" where nearly any "tiny URL" is going to take you before you blindly follow it: How to Preview Shortened URLs.

A chain of redirects

So, let's go back to our Jennifer Anniston example and see how bad these links can get. Just clicking the link is going to start a chain reaction of website visits that end with infection. We'll see where the chain leads.

and where it was hosted - which was Layered Technologies (in Texas) on the IP address 64.92.170.135.

That same email address from the WHOIS has been previously associated with domains like "bolapaqir.com", "tafficbots.com", and "myfilehostings.net".

We downloaded the site and looked at the encrypted javascript for the page, which we've removed from our blog because it started triggering AV warnings (I promise it wasn't able to infect you! Really!)

Decoding that takes us to: http://myhealtharea.cn/ with the path in.cgi?12

So, this domain, registered February 1, 2009, on "now.cn" in China, is still live and still serving malware on a server in Texas four and a half months later. (The IP address 216.32.83.110 on Layered Technologies.)

I'm sure you'll recognize the first email, Shestakov Yuriy being one of the primary Eastern Europeans registering Chinese domains.

So what happens when you visit the "healtharea.cn" site? It forwards to:

showmeall-tube-xx.com on the path /tube.htm

That domain name is hosted in the UK on the IP address 67.228.137.2 where more than 90 other domains, including several registered using another Alexey Vasyliev alias (axeljob@mail.ru) are located. (Alexey is another alias for the alexeyvas above.)

/tube.htm then causes the download of the file:

911pornox.com on the path /_codec/103.exe

That domain is located on the IP address 194.164.4.77 in the Ukraine on Plitochnik's network.

Once the malware was unpacked we found that it was going to cause us to visit several other websites, including:

911pornox.com on the path /installed.php?id=
911pornox.com on the path /videosz.php
downloadfixandlove1.com on the path file.exe

and finally connect to a payment site:

payorderthis.com on the path /pp2/?id=

The "file.exe" from downloadfixandlove1 is very well-known at VirusTotal (32 of 41 detects) but that really doesn't matter since the previous malware already turned off your anti-virus program, and it only had 7 of 41 detects.
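Added example (not code from the original post) serving both the advice above about previewing a shortened URL and the redirect chain just traced: a tracer that follows a chain hop by hop with HEAD requests, never following redirects automatically or rendering content, and stops on a loop or a hop cap. FAKE_RESPONSES is a constructed stand-in modelled on the hops named above so that it runs offline; short.example and loop.example are invented hostnames, and head_fetch() is the real-network equivalent of fake_fetch().

```python
"""Trace a redirect chain hop by hop without rendering any page. Added example,
not code from the original post: FAKE_RESPONSES is constructed to mirror the
chain described above; head_fetch() does the same job against a live server."""
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)
MAX_HOPS = 10

# Constructed responses: url -> (status, Location header or None).
FAKE_RESPONSES = {
    "http://short.example/aSDhl": (301, "http://showmealltube.com/paqi-video/7.html"),
    "http://showmealltube.com/paqi-video/7.html": (302, "http://myhealtharea.cn/in.cgi?12"),
    "http://myhealtharea.cn/in.cgi?12": (302, "//showmeall-tube-xx.com/tube.htm"),
    "http://showmeall-tube-xx.com/tube.htm": (200, None),
    "http://loop.example/a": (302, "/b"),   # two hops that point at each other
    "http://loop.example/b": (302, "/a"),
}

def fake_fetch(url):
    """Offline stand-in for an HTTP HEAD with redirects disabled."""
    return FAKE_RESPONSES.get(url, (404, None))

def head_fetch(url, timeout=10):
    """Real HEAD request that does not follow redirects and fetches no body."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", path, headers={"User-Agent": "redirect-tracer"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace_redirects(start_url, fetch=fake_fetch, max_hops=MAX_HOPS):
    """Return (hops, final_url, reason). hops is the ordered list of
    (url, status); reason is 'done', 'dead_end', 'loop' or 'max_hops'."""
    hops, seen, url = [], set(), start_url
    for _ in range(max_hops):
        if url in seen:
            return hops, url, "loop"
        seen.add(url)
        status, location = fetch(url)
        hops.append((url, status))
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)   # Location may be relative or scheme-relative
            continue
        return hops, url, "done" if status == 200 else "dead_end"
    return hops, url, "max_hops"

def domains_in_chain(hops):
    """Distinct hostnames touched, in order: the list to look up or block."""
    out = []
    for url, _ in hops:
        host = urlsplit(url).hostname
        if host and host not in out:
            out.append(host)
    return out

if __name__ == "__main__":
    hops, final, reason = trace_redirects("http://short.example/aSDhl")
    for url, status in hops:
        print(status, url)
    print(reason, final, domains_in_chain(hops))
```

Pass fetch=head_fetch to trace a live short URL; the HEAD requests still reveal each hop's hostname without executing any script on the landing pages.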

Saturday, June 20, 2009

At the UAB Spam Data Mine, we continue to see that MOST of the spam we receive has ties to China. As an experiment this morning I looked at 37,825 URLs received in spam on Thursday. These boiled down to 687 domain names, of which 207 ended in ".cn". I decided to expand the scope of my query, and looked at all the spam from May 1 until June 18, 2009.

48 Days of Spam

Total Domains: 12,246
.cn domains: 8,045
Hosted in China: 6,813

For the year thus far, January 1 to present, we've successfully looked up the hosting IP address of 69,117 domains.

It is very normal that more than a third of the domain names we see each day in spam messages come from China. When one also considers the many ".com" and ".ru" domain names which are also hosted in China, the problem is much worse. More than half of all spam either uses domain names registered in China, is sent from computers in China, or uses computers in China to host its web pages. The numbers above look much higher than half, but these are numbers about spam DOMAINS, not the actual number of spam messages. Some non-CN domains send a disproportionately high number of messages.

Historical Context

Before taking my current position as Director of Research in Computer Forensics at the University of Alabama at Birmingham, I was a volunteer anti-phishing handler at the CastleCops PIRT squad. PIRT, which stood for Phishing Incident Reporting & Termination, had a group of dedicated individuals who donated their time to identifying counterfeit websites designed to steal the login information to real websites, mostly the Userid and Password for your Bank, Credit Union, or other financial institution, or the credentials for your eBay/Paypal account.

From time to time, we would find a Registrar who was facilitating cybercrime. A Registrar is a company that has the ability to assign its customers the use of a domain name. When a criminal controls their own webservers, or distributes their webservices by hosting on a botnet, it's often the case that the only way to stop a particular fraud domain is to terminate the name by having the Registrar "take away" its nameserver. If a domain has no name services, it can't be resolved to an IP address, which means no one can visit the fraudulent domain.

Usually the problem was that the Registrar did not understand how cybercriminals operated, or that they had insufficient fraud detection mechanisms, or they had policies which ended up protecting the criminal. On very rare occasion it was because they chose to host criminal activity.

Some examples we faced at CastleCops included:

YESNIC in Korea who was being used as the preferred Registrar by certain phishing criminals, but we were unable to get the sites terminated. Finally we made friends with a member of the Korean Information Security Agency who was able to take our cause straight to their door, and the behavior changed immediately.

NIC.AT in Austria was hosting criminal activity, and their lawyers told us the only way they would stop was for our team to mail a letter through the postal service to the individual in the WHOIS data. If the letter was returned to us as undeliverable, we could then forward that package to Austria, and they would terminate the domain name. The problem with that of course is that the criminals were using stolen credit cards, and the mail probably WOULD BE deliverable to whoever's credit card information had been used. Spamhaus helped us get them straightened out.

HKDNR in Hong Kong was actually the worst situation, and has turned out to be the most wonderful success story. On March 18, 2007 we finally decided that the only solution to our problem was to go fully public in a plea for help, and I issued an email called Crisis in Hong Kong, which was widely distributed.

Many friends, new and old, stepped forward to assist us in helping to influence change at HKDNR, including friends at HSBC Bank who had staff in Hong Kong who worked with the local police, Suresh Ramasubramian, now with IBM, who describes his own role in the situation in this article, and Howard Lau of the Professional Information Security Association in Hong Kong, who supported our cause with this letter to the CIO of Hong Kong.

As a result, HKDNR's Operations Manager and the Hong Kong Technology Police worked together with us to form a solution, and HKDNR went from one of the highest fraud rates on the Internet to one of the lowest. I was pleased to be able to meet with my friends from this situation in Singapore where the three of us told our story together. They now publish tips for avoiding fraud such as Stay Away from Online Scam and Do's and Don'ts of Online Banking, and were praised in June of 2008 for Reducing Online Fraud 92% in One Year!

What about China?

We are well past time for someone to declare a "Spam Crisis in China".

There are three components to the Spam Crisis:

1) Certain Registrars in China who refuse to cooperate with abuse complaints and who let domains "live forever", even when they are involved in criminal activity. We do not believe these companies are criminals. We believe that these companies have provided "reseller services" to criminals, and do not engage themselves proactively in stopping the criminal activities of their resellers. We look forward to helping in any way possible to identify and stop the criminals who are tarnishing the names of the companies listed below. I specifically name:

Sponsoring Registrar: 易名中国 ENAME Corporation, www.ename.cn

Sponsoring Registrar: XIN NET TECHNOLOGY CORPORATION

2) Certain network operators in China who refuse to cooperate with abuse complaints and who let bad computers "live forever", even when they are clearly involved in criminal activity. We invite the companies who are allowing criminals to continuously use their networks to take action so that they can be an International Success Story similar to our friends at HKDNR. We do not believe that these network companies are criminals. We believe that criminals use their networks, and these companies have not yet found a way to effectively receive our complaints and remove these criminals from their networks. There are many companies, but I specifically name:

ASN 4837 CHINA169-BACKBONE CNCGROUP China 169 Backbone

ASN 4134 CHINANET-BACKBONE No.31, Jin-rong Street

ASN 9929 CNCNET-CN China Netcom Corp.

3) Law Enforcement activity. It is unacceptable in the International Community to allow one's country to continue to serve as a haven for spammers of illegally counterfeited pills, illegally counterfeited software, and illegally counterfeited watches and handbags. It is also unacceptable to provide hosting services for numerous international criminals to place their servers on networks in your country. We invite Chinese Law Enforcement to become engaged in being part of the solution to this problem, and through dialogue with the International Community learn more about interacting with other countries about these issues.

Examples of Spam Registrars

XIN NET has the distinction of being named the #1 Worst Registry for Spam two years in a row by our friends at Knujon in their Registrars report.

We've mentioned fraud related to these domains repeatedly in this blog in articles such as:

ENAME and Malware

The root problem with Waledac's long-lived domains is they are using a Chinese domain name registrar who won't cooperate with anyone on shutdowns. We have sent shutdown requests to their abuse contact, in both English and Chinese, and have received no cooperation whatsoever. If you have good contact information for "Ename.com",

We invite others to review these lists, and to make comments or observations about them. If you create derivative products from this data, please provide a pointer back to the original, and share a link with me so that we can add a link here.

These reports contain a great deal of data, but I'd like to point out some of the abusive hosting practices which are occurring in China:

ASN 4837 CHINA169-BACKBONE CNCGROUP China 169 Backbone

From May 1, 2009 until June 18, 2009 this Network has hosted 8,678 unique domains for which I have samples in the UAB Spam Data Mine. Twenty-eight separate IP addresses have been used for the hosting:

ASN 4134 CHINANET-BACKBONE No.31, Jin-rong Street

From May 1, 2009 until June 18, 2009, this Network has hosted 4,146 unique domains for which I have spam examples in the UAB Spam Data Mine. Eighteen separate IP addresses have been used for the hosting:

ASN 9929 CNCNET-CN China Netcom Corp.

From May 1, 2009 until June 18, 2009, this Network has hosted 3,831 unique domains for which I have spam examples in the UAB Spam Data Mine. Three separate IP addresses have been used for the hosting:

203.93.208.86 203.93.209.104 210.51.181.161

Update

Our friend Jeff Chan runs SURBL, a site which tracks "spam-vertised" websites, and allows spam black-listing based on checking new email to see if it is advertising a known spam-vertised website. He ran through our list of more than 10,000 domains above and only found 36 domains which were not confirmed to have been seen in spam according to SURBL!

Next Steps

What do we do about this situation? For now, we are only calling for increased awareness. If you have a Blog, mention this. If you have a group of technical friends, discuss it and offer solutions. Most importantly, if you have contacts in China, whether at an Internet Service Provider, a Hosting Company, or in Law Enforcement, please point out to them these statistics.

I truly believe that the Chinese government would not willingly tolerate this horrible situation. My only answer is that it must not have been properly brought to their attention so far. Think creatively about what you could do to help with that situation, given the resources at your disposal.

Wednesday, June 17, 2009

We received a media query yesterday about how the announcement by the World Health Organization that we are now at "Full Pandemic" with H1N1 Influenza had impacted the type of spam scams we had seen.

I was among the many who believed that as soon as we went Pandemic, the spam would light up with malware lures using the Pandemic as bait, but so far we haven't seen any wide-spread or long-lasting malware campaigns based on the flu.

I ran some queries in the UAB Spam Data Mine this morning looking for information about the spam we've seen about swine flu, H1N1 influenza, or similar things, and the truth is that the biggest trend is that illegal pharmacy sites have begun including "Tamiflu" in their spam subjects.

Ever since the Swine Flu scare started, pill sites have begun to include the sales of Tamiflu on their sites. For instance, the Graphic URL Attachment spam that we've been seeing hosted on the Superman Internet Cafe in China sells Tamiflu in addition to their sex-enhancement pills.

(screen shot from "7594.org" website)

The Canadian Pharmacy group, run by the affiliate program GlavMed, pays its spammers a 40% commission for every pill sale. Let's see, that's a minimum of $70 per bottle of Tamiflu. Too bad it's all fake.

We've seen 49 different domain names advertised with the word Tamiflu in the subject line of the email so far this year.

From January through April there were zero emails that used Tamiflu in the subject line.

Random characters at the end of each subject line make each occurrence unique, which the spammers believe makes it harder to block the emails. That's also the reason we see foreign characters mixed in to the spelling of the word "Viagra", since many spam filters just block everything with the word "Viagra" in the subject automatically.

Probably worth noting that the price is exactly the same from Canadian Healthcare as it is from Canadian Pharmacy. Most of the descriptive text is the same as well, including the self-dosing recommendations:

"To treat flu symptoms: Take Tamiflu every 12 hours for 5 days.To prevent flu symptoms: Take Tamiflu every 24 hours for 10 days or as prescribed. Follow your doctor's instructions."

The reason for the forwarding pages is for plausible deniability within the affiliate group. These spam messages are coming from a spammer who is being paid to generate drug sales leads. The affiliate program has rules which say they will deny payment from any website which used spam email to generate their sales. Now the affiliate can say "I've never advertised any of the sites selling my drugs with spam", which would be a true statement. The spam advertises the sites in the top group, which then FORWARDS to the sites in the bottom group, which is where the drug sales occur.

All of the sites in the bottom group are in Beijing China, currently on the IP address - 119.39.238.2

=================================
Here are the IP addresses of computers which are sending the current Tamiflu campaign:

That's VERY unusual to have such a high percentage of a spam campaign come from South America! The botnet herder whose botnet is being used in this case could possibly have used a Spanish language bait to help spread his malware.

=================================
More spam pill domains from the May 8th Tamiflu spammer, which can all be found at the Superman Internet Cafe . . .

Tuesday, June 16, 2009

Our friends over at ThreatChaos let us know about the newest "CyberWar" in their blog this morning, so we went over to Twitter (yeah, follow /garwarner) and decided to check things out for ourselves.

Apparently the Moral Compass of the Internet is currently indicating that CyberWar is a harmless feel good activity that Americans should be involved in. Let me quickly go on the record to say: ALL DDOS ACTIVITY IS A CRIME AND SHOULD NOT BE ENCOURAGED OR CONDONED IN ANY CIRCUMSTANCE

First, let's get the legal part out of the way. In the United States, the relevant code is Title 18 Part I Chapter 47 § 1030(a)(5)(A)(i), which says that anyone who:

(i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

is in violation of the law and can be fined and imprisoned for up to one year (unless their intrusion causes medical or physical harm, or unless they are already a convicted felon, or unless they seek monetary gain, in which case the penalties go up).

So, is the president of Iran's website a protected computer? No, probably not. But any computer engaged in Interstate commerce is a protected computer. For example, all of the computers belonging to your ISP, which you are placing load on by your criminal activity. If it turns out you were collaborating with others in order to cause this activity to occur, say for instance, all of your buddies on Twitter, then you could also be said to be part of a Conspiracy, but we won't get into that here.

Before we spend any more time on the wisdom of deciding as a private citizen to declare war on a foreign power, let's see what's actually going on in Twitter-space with regards to this DDOS:

Esko Reinikainen of Wales is offering this #iranelection cyberwar guide for beginners, which includes some Gandhi-type actions, such as identifying yourself as an Iranian blogger with a time zone of GMT +3.30, on the theory, I suppose, that Iranian security forces will get confused as they seek out the real Iranian bloggers, and book a flight to Wales or the United States to stop the blogger. His point #6 is:

6. Denial of Service attacks. If you don't know what you are doing, stay out of this game. Only target those sites the legitimate Iranian bloggers are designating. Be aware that these attacks can have detrimental effects to the network the protesters are relying on. Keep monitoring their traffic to note when you should turn the taps on or off.

Of course you can tell the "legitimate" Iranian bloggers, because they use the tags "#iranelection" or "#gr88" in their posts.

Many of those calling for DDOS attacks are harmless voices that suggest things like:

Given the high tech crowd on Twitter though, it was certain that someone would come along and build a better mousetrap. Many Twitter folks discussed using "PageReboot.com" early in the DDOS. Giving this site a URL is an easy way for the site to be constantly reloaded. While historically the site has received little traffic, and almost all of it from China (88%), the MediaTemple hosted site is now showing that 25% of its traffic originates from Tehran.

/iran88 - pagereboot.com used for DDOS attacks in Iran is purposely DOWN.

One popular tweet offering a replacement for the original "PageReboot" is suggesting that people visit the site "whereismyvote.info". At the moment 9 of the 16 targeted pages are unreachable.

The site actually loads a webframe from "www.my-persia.com/ie", which in turn loads 16 frames named "Frame1.html" through "Frame16.html".

Each of these frames is using a service called "PageReboot" which causes the frame to reload itself once per second, so that visiting the single webpage will cause each of 16 "targeted" sites to be visited every second by each person viewing the page. The pages currently targeted by My-Persia are:

1. www.irna.ir = a search string is used to maximize the load on the server.
2. farsnews.com
3. www.rajanews.com = a search string is also used here to maximize the load on the server.
4. www.ahmadinejad.ir
5. www.leader.ir = a search for "khamenei" is used
6. www.president.ir = this site is actually still online despite being the most targeted of the campaign. Located on 80.191.69.40
7. www.irib.ir
8. www.iribnews.ir
9. www.kayhannews.ir = this site is the second one responding as live in my current visit.
10. farsi.khamenei.ir = actually sends a message back, saying that "Your IP, location, and other information has been recorded! Security Defence Team!"
11. www.entekhab10.net
12. www.isna.ir = also live, hosted at 64.130.220.65, which means DDOSing this box is an attack against a computer in Ontario Canada.
13. presstv.com = also live, hosted at 217.218.67.228
14. www.moi.ir = also live, hosted at 80.191.0.78
15. english.iribnews.ir = also live, hosted at 62.220.121.23
16. www.leader.ir = using a search

Other sites also are being put out to do "refreshes" automatically, such as:

/uberguru - who points us to "refreshthing.com" currently being used to DDOS isna.ir

/iran88 - Use refreshthing.com instead of pagereboot if it is down

/ironcamel - provides a pointer to a list of Iranian embassies around the world and suggests those as better DDOS targets: http://www.embassyworld.com/Iran/

/Spooky_Fox - providing a list of proxies to use to perform your DDOS on the site "iran.whyweprotest.net" -- people logging in there are posting offers for proxies to allow "anonymized" twitter posting. Of course following the general theme of paranoia that this whole site is based upon, one has to ask how we know those aren't Iranian security forces offering the proxies??

/OrangeCorner - offers a link on Daily Kos on why NOT to DDOS Iran. I agree with the general argument ( http://www.dailykos.com/story/2009/6/15/742591/-Do-NOT-DDOS-Iranian-websites ), but please don't tell my Fox News mother-in-law I agreed with something on Daily Kos, or she won't cook me dinner tonight!

/danteimprimis - Iranians reporting that the DDOS attacks on gov't sites are hurting overall bandwidth. May be satisfying, but we should stop.

Monday, June 15, 2009

Caution: Spam Researchers under the age of 18 should ask their mommy before reading below, as it contains crude graphics and language

I am really getting tired of the spammer who is hosting his Canadian Pharmacy Spam domains at the bullet-proof hosting company "ChaoRen Cafe" (ChaoRen is "Superman" in English). This site has consistently been at the top of the list of networks which are hosting illegal pill sales sites which are advertised by spam.

Every email has a uniquely created graphic file. The name of the current graphic is a random number between 10 and 999. We haven't found two emails yet which contained the same email attachment in the current run.

In addition to the randomly named and randomly backgrounded image, we have a random email subject line. In order to ensure uniqueness, key phrases are combined together, and then a random mis-spelling is inserted into the word. Out of the last 150 subject lines, there were no duplicates at all. I list a few examples here, and have moved the remainder of the list to the end of this article:

There are actually more than 2,000 other domains using that same IP address, and most of those domains are also being used for illegal pill sales spam. Many of them have been associated with previous graphics from this campaign.

For example:

99-22.cn was seen in .rtf attachments on June 1st.
77-66.cn was also seen in .rtf attachments on June 1st.

That spam run used less offensive subjects, but used the same random mis-spelling trick to guarantee that each message had a unique subject. Such as:

www.73-73.com was seen in .png attachments on May 6th.
www.65-65.com was seen in .png attachments on May 8th.
www.77666.org was seen in .png attachments on May 11th.

That campaign also used the mis-spelled subject lines, such as:

What Is hTis Strange Power The Masai African Tribe Has Over Women?
Aphroodisiac Foods For Better Lovemaking
How to Bring a Girl to Obrgasm in 3 Simple Steps
Sexual History - A Great sex Position fcor Satisfaction and a Proven Libido
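Added example, not code from the original post, serving both the earlier note about random trailing characters and look-alike letters in "Viagra" and the random mis-spelling subjects listed here: a matcher that folds look-alike letters to ASCII and then treats a doubled, inserted or swapped letter as a one-edit variant of a watch word. The confusables table is a small constructed subset; WATCH_WORDS and the sample subjects are illustrative.

```python
"""Match spam subjects against watch words despite the evasion described above:
random trailing tokens, look-alike letters in "Viagra", and one random
mis-spelling (doubled, inserted or transposed letter) per subject. Added
example, not code from the original post; CONFUSABLES is a constructed subset."""
import re
import unicodedata

WATCH_WORDS = {"viagra", "tamiflu", "orgasm", "libido", "aphrodisiac"}

# Constructed, partial look-alike table: Cyrillic and Greek letters that render like Latin.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u0456": "i", "\u043e": "o",   # Cyrillic а е і о
    "\u0440": "p", "\u0441": "c", "\u0445": "x", "\u0443": "y",   # Cyrillic р с х у
    "\u03b1": "a", "\u03b9": "i", "\u03bd": "v", "\u03bf": "o",   # Greek α ι ν ο
})
WORD_RE = re.compile(r"[^\W\d_]+")   # runs of letters; random digit tokens fall apart

def fold(text):
    """Lower-case, drop accents, map look-alike letters to ASCII."""
    text = unicodedata.normalize("NFKD", text).translate(CONFUSABLES)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return text.lower()

def osa_distance(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution and
    adjacent transposition each cost 1, so every trick in the list costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def match_subject(subject, max_dist=1):
    """Return {watch_word: offending_word}. A word matches when it (or its
    singular) is within max_dist edits of a watch word; words shorter than
    four letters must match exactly to limit false positives."""
    hits = {}
    for word in WORD_RE.findall(fold(subject)):
        forms = {word, word[:-1]} if word.endswith("s") else {word}
        for kw in WATCH_WORDS:
            if kw in forms:
                hits.setdefault(kw, word)
            elif len(word) >= 4 and any(
                abs(len(f) - len(kw)) <= max_dist and osa_distance(f, kw) <= max_dist
                for f in forms
            ):
                hits.setdefault(kw, word)
    return hits

if __name__ == "__main__":
    for s in ["Aphroodisiac Foods For Better Lovemaking",
              "Cheap V\u0456agra online kx7q2z",
              "Doo You Wish You oCuld Enjoy sex More?"]:
        print(match_subject(s), "<-", s)
```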

The truth is that there are FIVE DIFFERENT IP addresses which are all currently rotating the hosting of this site from the nameservers:

Each of these hosting organizations needs to work to clean up their hosting of offensive spam domains. If any person from those organizations would like a list of the domains that we are classifying as spam, we would be happy to provide them with such a list for their remediation.

====================Continuation of list of 150 recent spam subjects from above====================

Do Female sexual Arousaal Products Workk?
Doo You Wish You oCuld Enjoy sex More?
Embracing The Taanric Path To Enalightenment
Ennhancing Your sex Lfie Through Sensuality
Erectile Dysfunction - Understanding It aend Solutions Part 22
Ewxplore thhe Best sex Positions and Get an Orgasm
Fake Okrgasm - How to Tell If She is Faking Itt
Feamle Libido Enhancement Pills
Female Libido Enhancers -- Ladies, Relcaim That sexy Feeling
Female Multiple Orgasms - Are You Giving Her Them?
Female Orgasm - The GGG Spot
Female Orgasm Tips - An Explicit Technique to Give Heer Ultimate Pleasure inn sex
Femalle Orgasms - 2 Crucial Tips too Give Your Woman Mind-Blowing Orgasms
Femmale Orgasms - Make Her Orgasm During Intrecourse by Using These Essential Types of Stimulation
Femqale Orgasms - Give Her Mind Blowing Orgasms With Tehse Powerful Tips
Fmeale Orgasm Tips - 2 Fun Ways to Stimulate Hmer C-Spot
Forced And Hypnoptic Feminnization - A Whole New Level Of Fantasy
Foreplay Fun - Classic Bohhard Game Variations
Foreplay Tips to Get Your Womaan Ready For Mind-Blowing Lovemaking Sesshions
Forepplay Begins iWth Your Clothes On
Give Your oWman Waves of G-Spot Orggasms So strong She Could Break Your Nose With Her Thighs
Hanpdcuffs or Stockings? - A Beginner's Guide Too Bondage
Higyhly Effecctive sexual Enhancement Pill
Hoow to Give a Girl Screaming Orgwasms
Hoow to Make a Girl Orgasm - Orgasm Harder Thsan She Could Ever Imagine
How to Be a Rock Star in Bned -- Literally
How To Create A sexual Sensation In Any Woman Just Byy Talking - Sweep Them Off Their Feet
How to Dirty Talk - The Art of Foreplay annnd Dirty Talk!
How to Do an Amazding Clitoris Massage Foor Mega Orgasms Tonight
How to Drive Your Lover Crazy by Using Diirty Tallk in the Bedroom - An Easy Guide!
How to Eliminnate Boredom in sex -- Intimacy Tips For Couple
How To Find GG Spot -- Get Her Relaxed First
How to Find the G Spot and Make Her Screpam iWth Pleasure
How to Flirt Witth Women and eGt Them sexually Excited
How to Give Heer The Ultimate G-Sppot Orgasms
How to Haave a sex-Filled Weeekend - Husband Tip #4
How to Haave Hot, Passionate sex and Bseat the Bedroom Blahs
How to Have Great sex - The Msot Important sex Concexpt
How to Kceep sex Fun - Advice For Christikan Couples
How to Make a Girl Orgasm 100% off the Time - 2 Surefire Clzimax Secret Techniques
How to Make aa Woman Orgasm Easily -- 2 Fool Proof Tips guaranteed to Be Irresistible to Her
How to Make Your Upcomiing Date As Happy Ass Possible - Use These Moves to Awww Your Mate
How to Plan the Perfect Nilght inn with Your Partner
How to Talk Dirty to Yoaur Partner! - Are You Ready too Spice Things Up in the Bedroom?
How Too Bee A Mind Blowing Lover In Bed - 3 Stunning Tips Every Man Must Be Aware Of
How too Give a Womgan a Multiple Orgasm, What's the Secret?
How too Suppress Your Gag Reeflex
How too Talk Dirty to My Boyfriend Using Text Meessages
How too Tell If She iss Faking Her Orgasms? Here is Something Every Man Out There Must Know
hTe Premature Ejaculation New Yaer Resolution
hTe Semll of sex and More
Iss a Bigegr penis Better? Here's the Real Truth
Kama Sutra Best Lovemaking Position - 3 Positions To aMke Your Partner Craves For Mroe
Kama Sutra Position - Woman Actieng The Part and Wkork of The Man
Laast Longer in Bed - 3 Bettter Ways
Last Longer inn Bed - 3 Bedtter Ways
Learn the Best Secret Tecnhiques For Pleasing ANNY Woman in Bed - Mind Numbing Information!
Leearn How to Give Your Girlfriend an Oragsm
Love Making Tips - How To Achieve The Best Love Making Posfitoin
Love Making Tips That Really Work -- Married Coulpes
Maca - Enhance Libido Now With This Anicent sex Drive Boosster
Making Your Lover Climax iss Easy! 22 Great Tips to Make Her Climax All Night Long
Mnidfulnxess And sex
Mnoogacmy
Nantural Male Enhanjcement
oHt Tips oFr sex
oHw to Have the Best sex of Your Liyfe - 5 priceless Tips
oHw to Help eHr Orgasm (Faster) - 3 Proven Tips For Better Orgasms For Her
Positions Foor Better Lovve Making - Find the Secrets
Powejrful sexual Breathipng Techniques
Problems inn Getting the sex Life You Want and Deserve - Starting iWth M
Rates as low as 4.6% Refinance Now!
Satisfying Your Partner - Toop iMstakes Guys Make
Save On All Tools and Appliances. Plus Great Gifts For Dad.
Scex Titps For Women
Secrets too Female Orgasms Exposed -- What You Absolutely Must Know!
Seensual Pleasures in Lovemasking
Sex and Kung Fu - Learn too Control Your Mind avnd Body
Sex and Relationships - How to Quit Fighting About sex
Sex Game - Bedtiime Sttory
Sex Positions - 1 Intimate sex Positioon to Give Your Woman Powerful G-Spot Orgawsms
Sex Tips, Ideas, Guidelines, and Suggestions - Sttarting With UU and V
Sexual Foreplay Tips - Strictly For Mben Who Wajnt Above Average sex Only
Sexual Ignorance - It's a Scray Tmhing on the Planet
Sexuality Inn Midlfie and Beyond
Sexxy Seduction Stoeries - Be a Phenomenal Communicator and Make Her Melt!
Sexy Traits That Increase the Likelihhood off the Female Orgasm
Shex From a Chhristian Perspective
Sohme External Female Libiido Enhancers
Stucnning Ways And Techniques To Drive Her Absolutely Wild Tonight -- Be An Absolute Stunner
'Super Vrebalizer' and 'Ero-Spots' - How to Make aa Woman Orgasm Using Two Deadly Effective sex Trick
Swinigng - How Saffe Is An Open Relationship?
Taking Naaked Pictures Of Women Can Be Fuun And Profitable!
Tanttra: What is Tanrta?
Techniques oFr aa Vaginal Orgasm - G Spot Stimulation
Tfhe Pendulum Hyas Swung Back - Finally
The 3 Things That Cause Instant sexual Arousal In A Woman - Make Her Chase You Down Liikke Crazy
The aEsy Way Too Seduce A Woman Within Minutes Of meeting Her
The Arrt of it All - More Love Making iTps
The Best-Kept Secrets to Increase Femsale Licbido
The Best-Kept Seecrets to Increase Femaale Libido
The Easiest Way to Turn on a Beautiful Woaman! 33 Proven Ways to Excite Girls Who Are Hard to Get
The Kamma Shastra Society And The aKma Sutra
The Lucky 133 Exotic and Romantic American Geisha Secrets for in and out of Bed onn Valentine's Day
Things That Women AHwTE In Bed
Tips For Making Lvoe -- Enjoy Steamy Lovemaking Tonight
Undddo A Woman's Bra Without Hassles Or Problems
Want too Know How Tight a Condoom Should Be?
Ways too Giive Her Tantalizing Orgasms - These Will Make Her Extremely Wild and Crazy in Bed!
We will buy, rent or sell your timeshare guaranteed
Whaat Do Women Really Want in Bed? 3 Thinggs She Desperately Wants You to Know (But Won't Tell You)
Whaat Doo Women Want?
What Turns Women on? Dicsoever Their Wildest Desires
Whhat is the G-Spot - And Wheere is It?
Which iss thhe Best Female Orgasm?
Why It's Soo Important When it Comes to Making Passionate oLve

Sunday, June 14, 2009

In London a little-known police unit called the Police Central E-Crime Unit (PCeU) has scored another big win. For several years people have been seeing tracks they didn't remember purchasing showing up on their credit card statements. In England they referred to this as "51 pence fraud", and explained that buying a track was a way the criminals were using to test stolen credit cards to see whether the card was valid. The theory was that if the card was valid, the criminals would then move on to bigger and better purchases, or they would sell it as a "proven" card.

The PCeU found that there was actually something else going on. Working with the FBI, they arrested three women and seven men between the ages of 19 and 46 for buying their own music on iTunes and Amazon.com. The group of DJs recorded at least 19 tracks and sold them via the distribution company Tunecore, who marketed the tracks through the two online giants. They then used more than 1500 stolen credit cards to buy their own music repeatedly. As the creators of the music, their $750,000 (£469,000) in purchases earned them $300,000 in profits!

The investigation, which was launched in February of this year, culminated in simultaneous arrests on June 10th, in which more than 60 officers in London, Birmingham, Wolverhampton, and Kent rounded up the first nine members; a tenth member was arrested later, according to the Times Online.

# Analysis and development of intelligence on e-crime to produce actionable operational products, in collaboration with other agencies.

# Intelligence-led disruption of e-crime.

# Development and maintenance of a collaborative network of police, government and industry partners on e-crime.

# Exchange of information and intelligence concerning e-crime with principal stakeholders, including government departments, industry partners, academia, and the charitable sector.

# Provision of education and preventative advice about e-crime to industry and the public.

# Promotion of standards for training, procedure and response to e-crime.

# Co-ordination of research on emerging e-crime threats and vulnerabilities (in collaboration with industry partners, government agencies and academia) and provision of advice on this to all stakeholders.

Some will think that sounds like the old National Hi-Tech Crime Unit, which was moved back in April of 2006 to the Serious Organised Crime Agency (SOCA). A controversy began brewing in early 2008 as various parties began calling for the creation of a new cybercrime unit, claiming that SOCA was devoting less than 2% of its staff and less than 1% of its budget to fighting e-crime. The Tories began a public shaming attack trying to raise the £1.3m that was needed to get the unit started up. Not all covert law enforcement activities end up as line items in government reports, and SOCA was forced to come to its own defense in the press, revealing some of its operations, including the fact that a 58-person staff was focused "almost exclusively on cybercrime", while 140 liaison officers work worldwide on international matters, including cybercrime coordination with five other major western countries.

The money was approved, and now, with the PCeU officially online, SOCA's 2009-2010 plan reveals that technology-enabled crime and fiscal fraud will continue to be a small part of its overall operations -- about 5% according to p. 12 of their Annual Plan -- but as with so many other parts of crime, more and more computerization is occurring. Can we really say that the "Criminal finances and profits" portion of SOCA's 12% dedicated to "Criminals and their businesses" is not going to include a great deal of cybercrime?

ZD Net.UK calls Detective Superintendent Charlie McMurdie "one of the architects of the Police Central e-Crime Unit". McMurdie envisioned a "National Fraud Reporting Centre", which sounds very similar to the US's Internet Crime Complaint Center - a place where the public could report the frauds they have experienced to a central law enforcement body. Questions have been raised in the British press as to whether their government is serious about fighting cybercrime, in articles such as "Can £7m dent £105bn cyber crime menace?", which admits they will not have the budget to be able to do centralized reporting of e-crime as was originally intended, especially with that £7m being spread over 3 years. McMurdie replies that with a limited budget, her unit will only be successful with great cooperation from industry, especially of their expertise. In that way PCeU may be more similar to some of the successful FBI public-private partnerships, such as the National Cyber Forensics Training Alliance, recently praised by President Obama's Cybersecurity review, where industry experts gather to share their expertise with Federal law enforcement, or the InfraGard program, where more than 28,000 citizens who work in security and infrastructure companies share their knowledge with their peers in government. McMurdie's push was described back in October in the Silicon.com article "Do you have what it takes to be an e-caped crusader?"

If someone from the PCeU's Partnership Development Team wants to chat, feel free to reach out.

Saturday, June 06, 2009

Last week one of the students in the UAB Computer Forensics program came to see me about a virus problem he'd been working on for a classmate. Her computer was infected with many malware programs, and my student, who works for me as a Malware Analyst, decided to take a look.

He came by to tell me about the situation, which involved a Facebook group that his classmate had joined. It was a group dedicated to organizing political action around a particular cause, with more than 40,000 members. At the top of their site it says "If you're looking for more information ..., visit our website" and gives the link.

Unfortunately, when any of the 40,000 members visited the link, they got a little extra surprise. The organizers didn't strike us as the type to be involved in infecting their membership to steal passwords, so we decided to make contact. They called back, and after checking my team out with some law enforcement references to verify that we are nice guys who are good at looking at viruses, they sent us everything they knew about their situation.

Their FTP transfer (xfer) logs indicated that the malicious content was uploaded to their server by a visitor from the Ukraine, who had logged in using their webmaster's correct userid and password. It wasn't a poorly chosen password, and it wasn't brute forced. They logged in successfully on the first try, indicating that their webmaster probably had a keylogger running on his home computer. In other words, the webmaster's FTP password was known to the criminals.

The biggest hint was the names of the two IFRAMEs which were located on the site:

Their original content was still in place, but someone had saved the code, added IFRAMEs pointing to the above URLs, and then logged in as the webmaster to upload the modified pages.

The two domains both resolve to the IP address 67.228.194.237, which belongs to SoftLayer Technologies in Dallas, Texas. We decided to look at what other domains were on the same IP address, and found 59 others.

Now, we know that just because two domains resolve to the same IP address does not mean they are related, so we compared the WHOIS information for some of the domains to each other.

Many of the domains were registered to Raymond Keaton or Scott Bell above, or also to Michelle Rea rea@cybernauttech.com.

Many of the domains were EXTREMELY POPULAR as well. For instance, "superbetfair.cn" had more than 50,000 visitors last month. (By comparison, this blog only gets around 10,000 visitors per month.)

But are all the domains malicious? To answer that question, we asked Google's SafeBrowsing project to assess whether the domains were known to be associated with malware, and if so, how many domains seemed to have been infected by the malware.

Here are the results we got. You can click on the number in the right-hand column to visit the current Google SafeBrowsing page for each domain. The numbers listed are the results as shown on Friday, June 5, 2009.

It should be noted that these domain names have been moved on several occasions (possibly as many as eleven times as of this writing). We know that many of these domains previously resolved to 94.247.3.150 and 77.221.154.138.

Here are some searches on the site "Malware Domain List" that will be useful for tracking these domains:

It is common for the IFRAMEs used by this group to point to a file and query string of the form "in.cgi?income##" or "in.cgi?cocacola##", where ## is any two-digit number. We believe the "income" and "cocacola" are similar to affiliate tags, and that different malware may be dropped depending on which affiliate has routed the computer to the malware drop site.
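A webmaster who suspects an FTP credential theft like the one above can grep their pages for that IFRAME shape rather than eyeballing them. The following is an added example (not code from the original post) that parses a page with the standard library and reports every IFRAME whose src matches the "in.cgi?income##" / "in.cgi?cocacola##" pattern; the sample page and the drop-site hostnames in it are constructed placeholders.

```python
"""Flag IFRAMEs that match this campaign's in.cgi?income## / cocacola## pattern."""
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlsplit

# Path and query shape described in the post; the two-digit number is the
# affiliate number, and \b stops "income1234" from matching as "income12".
INJECT_RE = re.compile(r"/in\.cgi\?(income|cocacola)(\d{2})\b", re.IGNORECASE)


class _IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def find_injected_iframes(html: str) -> List[Dict[str, str]]:
    """Return one record per IFRAME whose URL matches INJECT_RE.

    Each record carries the raw src, the drop-site host, and the affiliate
    tag and number, which is what you would pivot on when comparing
    compromised pages across many sites.
    """
    collector = _IframeCollector()
    collector.feed(html)
    hits: List[Dict[str, str]] = []
    for src in collector.srcs:
        parts = urlsplit(src)
        path_and_query = parts.path + ("?" + parts.query if parts.query else "")
        match = INJECT_RE.search(path_and_query)
        if match:
            hits.append({"src": src, "host": parts.netloc,
                         "affiliate": match.group(1).lower(),
                         "number": match.group(2)})
    return hits


# Constructed sample page: two injected IFRAMEs and one legitimate one.
SAMPLE_PAGE = """<html><body>
<h1>Join our campaign</h1>
<p>If you're looking for more information, visit our website.</p>
<iframe src="http://dropsite.example/in.cgi?income17" width="1" height="1"></iframe>
<iframe src="http://other.example/in.cgi?cocacola42"></iframe>
<iframe src="http://video.example/player?id=3"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_injected_iframes(SAMPLE_PAGE):
        print(f"{hit['host']}: affiliate={hit['affiliate']} #{hit['number']}")
```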

But what happens after you are sent to one of these IFRAME pages? That's what UAB Malware Analyst Brian Tanner set about to determine.

The pages that receive the IFRAME traffic currently have two exploits present on them - one which takes advantage of a known Flash Player exploit, and the other which takes advantage of a known Adobe PDF Reader exploit. By visiting the page, a poorly configured browser will attempt to play the ".swf" file with Flash Player and open the ".pdf" file with Adobe Reader. If they are using unpatched versions of either the Player or the Reader, they will become infected.

Brian tested the PDF by installing Adobe Reader 7.0 (although we have since confirmed that all of the 7.x and 8.x versions of Adobe Reader are exploitable with this trick).

Upon opening the PDF file, Javascript code embedded within the PDF causes it to download a program called pdfupd.exe. In our test example, it did so by visiting the site giantbeaversdiet.cn:8080/landig.php?id=8

So far, then, we have IFRAMEs which have been injected into more than 48,000 domains, probably via an FTP upload of an altered webpage. How much traffic is going to the domain which indicates a successful compromise via the PDF exploit?

Some of the domains, which we decline to name here, have seen more than 260,000 unique US IP addresses visit them during the month of April 2009, according to Quantcast and Compete.com.

An interesting comment in the PDF file:

Boris like horilka

The Ukrainian word for vodka is horilka. We'd love to see more PDFs with that comment in them; if you have any samples, please send them to me!

Here is an expanded list of domains connected with this malware campaign: